Detect Exfiltration to Code Repository in CrowdStrike LogScale
Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection. Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network. Tools such as Empire have been observed using GitHub for data exfiltration, leveraging the GitHub API to stage and retrieve data as part of a C2 channel.
MITRE ATT&CK
- Tactic
- Exfiltration
- Technique
- T1567 Exfiltration Over Web Service
- Sub-technique
- T1567.001 Exfiltration to Code Repository
- Canonical reference
- https://attack.mitre.org/techniques/T1567/001/
LogScale Detection Query
// Signal 1: Large network uploads to code repository domains from scripting/git tools
#repo="base_sensor"
#event_simpleName="NetworkConnectIP4"
| ContextBaseFileName = /(?i)^(git|git\.exe|curl|curl\.exe|wget|wget\.exe|python|python\.exe|python3|python3\.exe|powershell\.exe|pwsh|pwsh\.exe|node|node\.exe|ruby|ruby\.exe|perl|perl\.exe)$/
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
| join type=inner
[
#event_simpleName="DnsRequest"
| DomainName = /(?i)(github\.com|api\.github\.com|gitlab\.com|api\.gitlab\.com|bitbucket\.org|api\.bitbucket\.org|dev\.azure\.com|raw\.githubusercontent\.com|gist\.github\.com|codeberg\.org)/
| rename DomainName as CodeRepoDomain
]
on aid, RemoteAddressIP4
| eval Signal = "LargeUploadToCodeRepo"
| union
// Signal 2: Git push to external repository via command line
[
#repo="base_sensor"
#event_simpleName="ProcessRollup2"
| ImageFileName = /(?i)(\\git\.exe$|\/git$)/
| CommandLine = /(?i)push/
| CommandLine = /(?i)(github\.com|gitlab\.com|bitbucket\.org|dev\.azure\.com|codeberg\.org)/
| eval Signal = "GitPushToExternalRepo"
| eval CodeRepoDomain = case(
CommandLine = /github\.com/, "github.com",
CommandLine = /gitlab\.com/, "gitlab.com",
CommandLine = /bitbucket\.org/, "bitbucket.org",
CommandLine = /dev\.azure\.com/, "dev.azure.com",
CommandLine = /codeberg\.org/, "codeberg.org",
true(), "unknown"
)
]
| union
// Signal 3: REST API file upload to code repository APIs
[
#repo="base_sensor"
#event_simpleName="ProcessRollup2"
| ImageFileName = /(?i)(curl|curl\.exe|wget|wget\.exe|python|python\.exe|python3|python3\.exe|powershell\.exe|pwsh|pwsh\.exe|node|node\.exe|ruby|ruby\.exe)/
| CommandLine = /(?i)(api\.github\.com|api\.gitlab\.com|api\.bitbucket\.org|gist\.github\.com)/
| CommandLine = /(?i)(-X PUT|-X POST|method=.PUT|method=.POST|requests\.put|requests\.post|Invoke-RestMethod|Invoke-WebRequest|contents|gists|upload)/
| eval Signal = "CodeRepoAPIUpload"
| eval CodeRepoDomain = case(
CommandLine = /api\.github\.com/, "api.github.com",
CommandLine = /api\.gitlab\.com/, "api.gitlab.com",
CommandLine = /gist\.github\.com/, "gist.github.com",
CommandLine = /api\.bitbucket\.org/, "api.bitbucket.org",
true(), "unknown"
)
]
// Suppress known CI/CD hostnames
| ComputerName != /(?i)(jenkins|gitlab-runner|ci[-_]|build[-_]|deploy|devops|runner|bamboo|teamcity)/
// Enrich with parent process
| eval IsSuspiciousParent = case(
ParentBaseFileName = /(?i)(cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|schtasks\.exe|at\.exe|wmic\.exe|msiexec\.exe)/, true(),
true(), false()
)
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, Signal, CodeRepoDomain, IsSuspiciousParent])
| eval RiskScore = case(
Signal = "GitPushToExternalRepo" AND IsSuspiciousParent = true(), 4,
Signal = "CodeRepoAPIUpload" AND IsSuspiciousParent = true(), 4,
Signal = "GitPushToExternalRepo", 3,
Signal = "CodeRepoAPIUpload", 3,
Signal = "LargeUploadToCodeRepo" AND IsSuspiciousParent = true(), 3,
Signal = "LargeUploadToCodeRepo", 2,
true(), 1
)
| where RiskScore >= 2
| sort(RiskScore, order=desc, limit=1000)CrowdStrike LogScale CQL query detecting T1567.001 exfiltration to code repositories using Falcon sensor telemetry. Correlates ProcessRollup2 and NetworkConnectIP4 events with DnsRequest events to identify: (1) large outbound network transfers from scripting or git tools to code hosting domains, (2) git push commands targeting external repository URLs, and (3) REST API file uploads via PUT/POST to repository APIs. Applies parent process suspicion scoring and suppresses known CI/CD system hostnames. Risk scoring prioritizes cases where suspicious parent processes (cmd, wscript, mshta) spawn git or scripting tools.
Data Sources
Required Tables
False Positives & Tuning
- Developer workstations where engineers routinely push code to GitHub/GitLab/Bitbucket through IDE terminal sessions or GUI git clients — these generate ProcessRollup2 git push events continuously during normal business hours and should be baselined per host
- Infrastructure automation tools (Terraform, Pulumi, CDK) running on DevOps engineer machines or bastion hosts that use curl or Python to commit generated state files, rendered Helm charts, or SBOM reports back to repositories via API
- Security scanning platforms (Snyk, Semgrep, Checkov) that run as background processes and submit findings or pull request annotations to repository APIs using POST/PUT methods with content bodies referencing specific file paths
Other platforms for T1567.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Exfiltrate Data via GitHub Contents API Using PowerShell
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'api.github.com', 'Invoke-RestMethod', 'PUT', and 'token'. Sysmon Event ID 3: Network Connection from powershell.exe to api.github.com:443. PowerShell ScriptBlock Log Event ID 4104 with full API request including the encoded content. Network proxy logs show HTTPS PUT to api.github.com with outbound payload.
- Test 2Git Push Sensitive Files to External Repository from Command Shell
Expected signal: Sysmon Event ID 1: Multiple process creates — cmd.exe, git.exe (init), git.exe (add), git.exe (commit), git.exe (push) with CommandLine containing 'github.com' and '--force'. Sysmon Event ID 3: Network Connection from git.exe to github.com:443. Sysmon Event ID 11: File Create for stolen_creds.txt in %TEMP%\df00tech-exfil. Security Event ID 4688 if command line auditing enabled.
- Test 3Exfiltrate Data via GitHub Gist API Using curl
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe spawning curl.exe, CommandLine containing 'api.github.com/gists', '-X POST', and the Authorization header with PAT. Sysmon Event ID 3: Network Connection from curl.exe to api.github.com:443. Proxy logs show HTTPS POST to api.github.com/gists with outbound JSON payload.
- Test 4Automated Data Exfiltration via Python GitHub API Script
Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe and CommandLine containing 'api.github.com', 'PUT', 'urllib.request', and the Authorization token. Sysmon Event ID 3: Network Connection from python.exe to api.github.com:443. No PowerShell ScriptBlock logging (Python process); look for Python audit hooks or endpoint DLP alerts on the data access pattern (reading hosts file).
References (10)
- https://attack.mitre.org/techniques/T1567/001/
- https://github.com/EmpireProject/Empire
- https://docs.github.com/en/rest/repos/contents
- https://docs.github.com/en/rest/gists/gists
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.001/T1567.001.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
Unlock Pro Content
Get the full detection package for T1567.001 including response playbook, investigation guide, and atomic red team tests.